Blog - Page 2 of 3 - Nimbus-T | Secure Identity Management

Japan a global leader in cryptocurrency investment | The Japan Times

by MINORU MATSUTANI | Jan 23, 2018 | Blockchain, Cryptocurrency

Japan is the global leader in the market development of cryptocurrencies — a global buzzword recently — some of which have seen their values skyrocket over the past year.
As of Jan. 15, yen accounts for 56.2 percent of bitcoin, or BTC, the most popular cryptocurrency, according to coinhills.com. Yen is followed by U.S. dollars at 28.4 percent, while all others account for 15.4 percent. Chinese yuan used to account for the largest until January 2017, but dropped after the state imposed strict restrictions on cryptocurrency trading.

(more…)

Biotech M&A takes off as Sanofi and Celgene spend $20 billion

by Ben Hirschler, Sudip Kar-Gupta, Michael Erman | Jan 22, 2018 | Biopharma, Oncology

(Reuters) – Biotech deal activity exploded on Monday with French drugmaker Sanofi and U.S.-based Celgene spending a combined total of more than $20 billion to add new products for hemophilia and cancer to their medicine cabinets.

The acquisitions will fuel expectations for a busy year of mergers and acquisitions (M&A) as large drugmakers snap up promising assets from smaller rivals to help revive growth.

Sanofi agreed to buy U.S. hemophilia expert Bioverativ for $11.6 billion, its biggest deal for seven years, while Celgene is paying about $9 billion for the 90 percent of cancer specialist Juno Therapeutics it does not already own.

The two cash deals were agreed at a prices of $105 and $87 per share respectively. Shares in Bioverativ leaped 63 percent in early U.S. trading and Juno jumped 27 percent, reflecting the offers, while Sanofi fell 4 percent. Celgene was little changed.

Other biotech stocks were driven higher by the takeover news, with rivals to Juno including Bluebird Bio , Sangamo Therapeutics and Cellectis each gaining around 10 percent.

“The signs are good for biotech deal activity in 2018,” said Chris Stirling, head of KPMG’s global life sciences practice.

Big companies are under pressure from declining sales of older treatments and many are struggling to find sufficient high-value replacements from within their own laboratories, making buying in products and know-how an attractive option.

“It takes a long time to introduce technology that makes a significant difference, and in the interim CEOs are looking at any way to get their hands on product where they believe they can make a decent return,” Stirling said. “They’ve got to be seen to be doing things, otherwise they really struggle to convince investors.”

Both Sanofi and Celgene had been seen as likely multibillion-dollar acquirers.

BUSY START

FILE PHOTO: A scientist prepares protein samples for analysis in a lab at the Institute of Cancer Research in Sutton, Britain, July 15, 2013. REUTERS/Stefan Wermuth/File Photo

The French group, which faces mounting competition in its key diabetes unit, lost out on buying U.S. cancer firm Medivation to Pfizer in 2016, and also missed acquiring Swiss-based Actelion, which was bought by Johnson & Johnson last year.

Celgene, meanwhile, needs to dilute its reliance on cancer drug Revlimid. It had been widely tipped as a buyer for Juno, whose technology is at the cutting edge of cancer treatment.

Juno is one of several pioneers of a system to modify immune cells to fight tumors and its JCAR017 product is likely to reach the market in 2019, behind rival approval treatments from Novartis and Gilead.

FILE PHOTO:A scientist prepares protein samples for analysis in a lab at the Institute of Cancer Research in Sutton, July 15, 2013. REUTERS/Stefan Wermuth/File Photo.

Gilead only recently jumped into the space after acquiring Kite Pharma last year for $12 billion in one of the few standout deals during a relatively subdued year for biotech M&A.

Despite the late start, Celgene believes JCAR017 could have peak annual sales of $3 billion and it sees the acquisition being “incrementally additive” to net product sales in 2020. Following setbacks at Juno, Celgene is paying less than the $93 a share it stumped up for just under 10 percent of the company in 2015.

Sanofi expects Bioverativ, which was spun off from Biogen last year, can deliver commercial success despite rapid changes in the $10 billion hemophilia market posed by a novel drug from Roche and the potential of gene therapy to provide a one-time cure.

Those changes have spooked some investors but Sanofi is betting that the factor replacement therapies made by Bioverativ will remain the standard of care for many years and it expects the deal to boost earnings immediately.

Monday’s two big acquisitions build on an already busy start for 2018 biotech M&A, with Celgene earlier agreeing to acquire privately-held Impact Biomedicines for as much as $7 billion, including $1.1 billion upfront, and Novo Nordisk bidding $3.1 billion for Belgium’s Ablynx.

Separate reports this month by consultancy EY and law firm Baker McKenzie both predicted a significant rise in life sciences M&A in 2018, helped by U.S. tax changes that may lift big companies’ appetite for deals.

Lazard advised Sanofi on its deal, while Guggenheim Securities and J.P. Morgan worked for Bioverativ. J.P. Morgan also worked for Celgene and Morgan Stanley for Juno.

Additional reporting by Tamara Mathias, Matthias Blamont and Shubham Kalia; Editing by Edmund Blair and Alexander Smith

Our Standards:The Thomson Reuters Trust Principles.

Source: Biotech M&A takes off as Sanofi and Celgene spend $20 billion

SaveSave

Nations Seek the Elusive Cure for Cyberattacks

by DAVID E. SANGER | Jan 22, 2018 | Cybersecurity

Efforts to establish “norms of behavior” got a promising start, but are now falling apart. No one can even agree on when an act of aggression in cyberspace amounts to an act of war. The Pentagon, in its first nuclear strategy review since President Trump took office, is even proposing to use the threat of unleashing nuclear weapons against a country or group that delivered a devastating cyberattack against the critical infrastructure of the United States or its allies. But that doesn’t help with the problem of everyday attacks.

The most talented state sponsors of attacks — mostly Russia, China, Iran and North Korea — have carefully calibrated their operations in cyberspace to achieve their strategic aims while avoiding a real shooting war. So far they have succeeded. While there have been indictments of Iranian and Chinese hackers in major strikes on the United States, they have never seen the inside of an American courtroom.

North Korea has been a case study in how a nation learns to make use of its cyberweapons for disruption, revenge or profit, without fear of serious retaliation. It has learned how to station hackers around the world — in China, Malaysia, Thailand and elsewhere — and has gotten away with bolder and bolder attacks, from Wannacry to its raid on Bangladesh’s central bank, which nearly resulted in the theft of a billion dollars. (The transfers were halted after $81 million had passed through the Swift system, the international clearinghouse for transactions, after someone at the New York Fed discovered a spelling error — the word “fandation” for “foundation” — and stopped the heist. )

As James Lewis of the Center for Strategic and International Studies put it recently, “North Korea is both cautious and cunning in its use of force, including cyberattack.” But he added: “The North has been successful only against poorly protected targets, of which there are many, suggesting that there is a relatively low ceiling for its cyberattack capabilities.”

In fact, the explosion of state-sponsored, sophisticated cyberattacks over the past seven or eight years has been fueled, in large part, by the expansion of poorly protected targets. Yes, banks and major utilities have, for the large part, tightened their defenses, and tens of billions of dollars have been made by companies promising all kinds of cyber protections, from the most basic programs loaded on your laptop to sophisticated systems designed to anticipate future action, or watch for variations in the normal behavior of users.

But none of that has prevented cyberspace from becoming what President Barack Obama termed the “Wild, Wild West,” a territory of anarchy, where adversaries take free shots at one another. In the past five years, these attacks have become the cheapest way for nations to undercut one another in the name of bigger strategic goals.

Photo
President Emmanuel Macron in France is proposing that government authorities be able to take down “fake news” during elections. Credit Ludovic Marin/Agence France-Presse — Getty Images

Yet the world has been unable to decide what constitutes fair game, and what should be off limits. For years officials talked about their fear of a “cyber Pearl Harbor,” a devastating strike against the power grid that would turn out the lights from Boston to Washington, or London to Rome. That has not happened, save for limited strikes in Ukraine, widely attributed to Russian hackers, that seemed intended to send a message that they could attack critical infrastructure at any time. Countries have sensed what would happen if they went too far.

Instead, cyberattacks have taken a far more subtle turn. The Russian-led attacks on the 2016 American election — and similar efforts in France and Germany last year — are prime examples. While United Nations experts had been struggling to come up with “norms of behavior” in cyberspace, a consensus about what was off-limits — like attacks on power grids or safety systems, for example — few were thinking about the use of the technology to influence elections.

In fact, the election systems in the United States — the foundation of American democracy — were never on the list of “critical infrastructure” until Mr. Obama’s Homeland Security secretary, Jeh Johnson, added them in the last days of the administration. By then it was too late.

Infrastructure is only part of the problem. The evidence that has poured out of the United States after more than a year of congressional investigations has left no doubt that Russian hackers — working largely on behalf of two of Moscow’s spy services, the SVR and the GRU — did far more than use cyber tools to break into the Democratic National Committee and the accounts of key players in Hillary Clinton’s campaign.

The sophisticated use of “bots” to target key demographic groups with Twitter messages, Facebook ads and just ordinary-looking social media exchanges made it clear that we have entered a new world, in which states marry some of the oldest propaganda techniques with the newest ways to disseminate a divisive message.

Yet thinking about how to regulate that kind of activity is tying the West in knots. President Emmanuel Macron in France is proposing that government authorities be able to take down “fake news” during elections, declaring in his New Year’s speech that “if we want to protect liberal democracies, we must be strong and have clear rules.”

Yet those rules clearly could not survive in the United States, where First Amendment protections would prohibit the government from stepping in and declaring what is fake and what is not.

President Trump’s own declarations about what constitutes “fake news” — including articles about the Russian election activity — underscore the dangers of putting that power into government hands.

There are other complications. After the election hacks in the United States, many called for “real identities” on the internet, so the world would know exactly who is tweeting or posting. Sensible as it may sound, it would also be a boon to the Russians, the Chinese and any authoritarian government looking to crack down on dissent. In short, the best way to solve the problem of election meddling and anonymous attacks would be a dictator’s dream.

There have been a few successes in setting norms of behavior, particularly when it comes to banning child pornography or cracking down on intellectual property theft. But those are the easiest issues on which to agree.

The United States, for example, would never support rules that banned espionage. And what about rules prohibiting the placement of “implants” in foreign computer networks, so that in the future they could monitor activity or plant malware to bring a network down?

American and European officials raise the alarm whenever they find such implants in their electrical grids. But they also quietly place them in hundreds of thousands of foreign networks. That is how Presidents Bush and Obama got inside Iran’s nuclear enrichment site at Natanz, with the Stuxnet code.

It is a power that the United States and its allies, have no intention of giving up.

David E. Sanger is national security correspondent for The New York Times. His forthcoming book is “The Perfect Weapon: War, Sabotage and Fear in the Cyber Age.”

A version of this article appears in print on January 23, 2018, on Page A11, in The International New York Times. Order Reprints| Today’s Paper|Subscribe

close story-meta

Source: Nations Seek the Elusive Cure for Cyberattacks

SaveSave

Behavioral biometrics missing from cybersecurity

by Frances Zelazny | Jan 22, 2018 | Cybersecurity

Recently, there’s been an uptick in the adoption of the NIST Cybersecurity Framework, a set of guidelines aimed at helping organizations improve their overall cybersecurity process. In December 2017, NIST released the second draft of its framework. Among the updates were two critical additions to the Identity Management, Authentication and Access Control guidance.

These updates address the disturbing reality that our digital identities are surprisingly unsecure. More than 9 billion credentials have been stolen since 2013, giving cyber criminals an abundance of personally identifiable information to use to commit fraud, from account takeover attacks, to fraudulent credit applications and more. By combining NIST Framework guidelines with behavioral biometric identity proofing and authentication solutions, organizations can fight back against these shocking statistics to detect and prevent fraud.

What is the NIST Framework?

The NIST Cybersecurity Framework is a set of guidelines collaboratively formulated to give companies a starting place for evaluating, preventing and responding to cyber risk. Thirty percent of U.S. organizations use the NIST framework, including JPMorgan Chase, Merck & Co, Kaiser Permanente and Chevron Corporation. The NIST Framework focuses on five areas for reducing cyber risk: identify, protect, detect, respond, recover.

Rather than being shocked by each new data breach, ransomware attack or instance of fraud, companies are increasingly working to improve their cybersecurity posture, and not just internal information security professionals. Business leaders and c-suite level executives are waking up to the importance of putting resources behind their organization’s cybersecurity, from the insurance industry to financial institutions. Companies are finding the NIST Framework’s guidance particularly helpful in a time when cyberattacks are costly and growing at an alarming rate. Every 39 seconds, there is an attack on a computer with internet access and cyberattacks are priced at an estimated $400 billion globally per year.

Meeting NIST Framework Identity Management and Authentication Guidelines with behavioral biometrics: Behavioral biometrics are specifically designed to address the identity management and authentication guidance added under the “protect” section of the NIST Framework’s second draft. Using behavioral biometrics, organizations can employ advanced identity proofing and authentication technology to detect fraud and prevent unauthorized access.

Identity proofing with behavioral biometrics

The NIST Framework recommends that “identities are proofed and bound to credentials and asserted in interactions when appropriate.” Identity proofing is a process organization’s use to collect and verify information about a person for the purpose of an account opening or issuing credentials to that person. Most often, identity proofing is used to meet regulatory requirements and prevent fraud.

Typically, companies rely on database searches to verify user information entered into online applications. These traditional identity proofing methods are no longer sufficient, however, as the information required to open new accounts is readily accessible to cybercriminals due to large-scale data breaches. In fact, one in nine of all online accounts created in 2017 was fraudulent.

Behavioral biometrics fulfill NIST Framework guidance for identity proofing by monitoring user behavior when filling out online applications, not just that the correct information is entered. Working in the background, behavioral biometrics verify that online applications are being filled out by genuine users, not fraudsters, by testing for application fluency, navigational fluency and low data familiarity.

For example, fraudsters often use keyboard shortcuts and enter unfamiliar data in a way not exhibited by legitimate users. Based on these parameters, organizations can effectively verify user identity, in real-time, and experience less fraud.

Risk-based, multi-factor authentication and behavioral biometrics

The second update to the NIST Framework that behavioral biometrics can address relates to risk-based, multi-factor authentication. Specifically, the NIST Framework recommends that “users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).”

Behavioral biometrics go a step farther and meet these requirements by providing continuous authentication, not just single or multi-factor authentication. Rather than requiring users to provide a static identifier, like a password or fingerprint, behavioral biometrics monitor user behavior from login to logout to detect suspicious activity throughout a user session, not just at login. This is important because 100 percent of fraud occurs in authenticated sessions, clear evidence that traditional authentication methods are still failing to catch cybercriminals.

Even multi-factor authentication has already proven vulnerable to attack. Working behind the scenes, behavioral biometrics collect data on user interactions with a device, establishing a unique identity profile that can’t be duplicated. How one user moves their mouse, for example, can’t be recreated by a cybercriminal or remote access trojan. This entire authentication process takes place without the user knowing — a win for customer experience.

When needed, behavioral biometrics can also introduce additional authentication measures if suspicious activity is detected. This could be a prompt to enter a password or use another biometric like a fingerprint or facial scan. This type of multi-factor authentication is significantly more secure than knowledge-based security.

Using behavioral biometrics, organizations can meet and exceed NIST Framework guidelines around authentication to better secure users, online transactions and the business as a whole.

The NIST Framework is an excellent place for organizations to begin improving and updating their cybersecurity process. In June 2017, NIST also released a Special Publication (SP) 800-63, a document outlining Guidelines on Digital Identity. The document replaced outdated authentication and identity proofing recommendations with new ones, meant to align with the types of cyber threats organizations are facing today. This includes providing adequate identity proofing and authentication solutions to prevent unauthorized access, activities and transactions.

Advanced technology solutions, like behavioral biometrics, are helping organizations put NIST Framework recommendations into practice. When it comes to preventing fraud, account takeover, malware or other cyberattack, behavioral biometrics provide the best option for ensuring users are who they claim to be.

Frances Zelazny is vice president of BioCatch, a cybersecurity company that delivers behavioral biometrics to protect users and data. She provided testimony last year to the New York State Assembly’s banking committee on cybersecurity threats facing the U.S. financial industry.

Source: Behavioral biometrics missing from cybersecurity

Why Blockchains and Identity Go Together

by ROBERT HACKETT | Jan 22, 2018 | Blockchain, Cryptocurrency

One area of online life most ripe for disruption is identity: How does anyone really know you are who you say you are?

Nowadays, credit agencies and social networks like Facebook act as the main gatekeepers for identity. But a host of entrepreneurs are designing new solutions to this age-old Internet conundrum by using blockchain technology, the digital ledger system that underlies cryptocurrencies like Bitcoin.

A few such blockchain boosters participated in a panel discussion about identity at the Silicon Slopes conference in Salt Lake City, Utah on Thursday. There they claimed that these distributed, tamper-resistant databases can counter the monopolizing forces that have come to control people’s identities.

The most obvious failure of the current state of affairs is Equifax (efx), said Vinny Lingham, co-founder and CEO of Civic, a startup that offers identity verification via a blockchain.

“These centralized databases are central points of failure for your identity,” Lingham said, noting that in the case of a hack—as occurred with Equifax—all that information gets compromised.

“With the current model of identity, you’ve got honeypots,” said Timothy Ruff, co-founder and CEO of Evernym, a startup that has developed its own blockchain, Sovrin, to help people manage their identities. But in the blockchain world, “there is no big pile of data—it doesn’t exist,” he said.

Rather than sitting on a small set of web servers controlled by a single business, blockchain-based data can be dispersed across a sprawling network of machines. Advocates, like the ones on the panel, say this architecture can grant regular users more ownership over their own data.

Michael Sena, who heads product at uPort, an identity service built on the Ethereum blockchain, said that to be truly in control of one’s own identity—or “self-sovereign”—a person must be in control of the cryptographic keys that allow them to interact with an access said blockchains.

“To be self-sovereign, you can’t be dependent on a decentralized network,” Sena said. “There needs to be the ability for users to determine how they handle keys.”

Get Data Sheet, Fortune’s technology newsletter.

In other words, just because a blockchain is involved doesn’t magically mean people have more control over their data. The crypto keys, which function sort of like long, complex passwords for securing information, are, well, key.

“If you are the self-sovereign over something, you are the final authority,” Ruff said. “As morbid or brash as it sounds, you have to be able to fire your identity provider.”

If and when blockchain-based identity projects reach critical mass in terms of user adoption, they could help get more decentralized services—like cryptocurrency exchanges, file storage providers, and prediction markets—off the ground. For true believers, solving identity is the first step toward realizing what they deem to be the next wave of the web.

Lingham, despite being bullish on blockchains and their future, expressed skepticism about some of the present mania for cryptocurrencies. “Out of the 3,000-plus tokens out there, most of them are probably going to fail,” Lingham warned.

Source: Why Blockchains and Identity Go Together

Identity, Privacy, and Security

by Principal Analyst – Kaelyn Lowmaster | Jan 22, 2018 | Cybersecurity

The volume of personal data generated and collected by companies continues to expand exponentially, making it difficult to gauge where the borders of modern privacy should be drawn. That same explosion of data also multiplies vulnerabilities for companies and institutions, so fostering digital security will continue to be an inherently lopsided battle.

In Identity, Privacy, and Security, OWI takes a step back to look at privacy and security more broadly, and examine their relevance in a connected world. This paper also discusses how your company should start thinking differently about both concepts and how they relate to our Identity Building blocks, in order to improve your business and foster Trust and Safety.

Author:
Principal Analyst – Kaelyn Lowmaster

Editor:
Neil Hughes

Contributors:
Director of Education – Katie Stephens

The New Frontier Of Digital Privacy And Security

After a year of high-profile data breaches, shoddy institutional data management, and damaging cyber attacks, it’s unsurprising that anyone would feel cynical about privacy and security in the digital world.

But your company quite literally cannot afford to be complacent in the face of these challenges. As OWI has discussed in detail, you’re already in the personal data business, and the way your team navigates the shifting landscape of digital privacy and security will have a profound effect on customer trust levels as well as your bottom line.

OWI’s previous whitepapers have taken a look at why data stewardship and sound personal data management are core functions for any company or organization. In this whitepaper, we take a step back to look at privacy and security more broadly, and examine their relevance in a connected world. We’ll also discuss how your company should start thinking differently about both concepts and how they relate to our Identity Building blocks, in order to improve your business and foster Trust and Safety.

Privacy’s Not Dead — It’s Just Digital

The idea of privacy has undergone a massive shift in the internet age. Analog privacy typically meant the freedom from observation — confidence that no one was watching your actions, and that no one would know certain information about you unless you actively chose to tell them.

For connected consumers, though, carving out areas of total freedom from digital observation or data collection is not only an impossible goal to achieve, it’s often not a desirable one, either. We rely on nearly constant information sharing for basic daily services: Our phones’ GPS knows where we are, our home assistants listen for our voice, and our fitness trackers monitor our heartbeat. The average digital consumer owns four connected devices, and that number is likely to continue growing. That constant connectivity should not mean, however, that consumers must forfeit control for how their data is used.

Privacy as a concept is perhaps even more relevant now, when the sheer volume of identity about any given individual is so much larger than ever before. Our data-saturated context requires a new construct for thinking about the value and execution of privacy standards. To that end we’ve developed a new definition for digital privacy.

Building A Framework For Digital Privacy

Digital privacy — Freedom from the collection, use, monitoring, or sharing of personal data and digital activity without the user’s understanding, knowledge, or consent

This new definition provokes a series of important questions, such as:

What form should consumer consent take?
Who’s responsible for making sure a customer is informed?
What are permissible uses of personal data?

Here we’ll take a closer look at three key concepts — consent, transparency, and legitimate interest — to approach building this new framework for digital privacy. Each of these figures prominently in the EU’s General Data Protection Regulation (GDPR), indicating that not only are regulators devoting increased attention to digital privacy, but that principles of digital privacy will soon be enforceable with real monetary penalties for violation.

Consent

With some degree of personal information collection and use necessary for digital service provision, digital privacy should be centered around user consent of personal data usage. A consumer must give permission to service providers for the use and sharing of their identity data, and that data should not be used if that permission is withdrawn. Consent must be:

Active – A customer must choose to assent to data collection and use, either in writing, electronically, or verbally. Companies shouldn’t assume that silence equates to consent or present a consumer with a Terms of Service where “I Agree” is checked by default.
Genuine – Consent must constitute a real choice for That is, if they don’t agree with the way a service will be using their data, they can opt out of all or part of that service.
Specific – Consent should be solicited for each target function for which a service provider would like to use customer data. For example, if a user gives consent for a ride sharing app to use her location data so a driver can locate her, that does not mean that she has automatically consented to have her location data used for geographically targeted marketing. Service providers should ask individually for each use case.
Withdrawable – It should be as easy for a customer to rescind consent as it is for her to give it in the first place.
Informed – Customers should know, clearly and concisely, what their consent means and how their data will be used. That means service providers must be accurate, transparent, and consumer-centric when constructing Terms of Use and Privacy Policies.

Transparency

Meaningful consent requires an informed consumer. In order to give permission for their personal data to be used, customers first have to understand what information will be collected, how it will be used, and with whom it will be shared. Currently, most companies rely on lengthy, complicated, and opaque terms of service designed to reduce legal liability, rather than educate customers.

Protecting digital privacy means prioritizing consumer comprehension and transparency of data use policies. Companies should make sure their communications with consumers are:

Concise – Today, it would take the average customer nearly 250 hours a year simply to read the terms of service for the digital services she uses. Terms of service should be as brief as possible.
Comprehensive – Balancing completeness and brevity is perhaps the greatest challenge for companies when communicating data usage policies. Policies should state what data will be collected, how and by whom it will be leveraged, as well as when and with whom it will be shared. It should also offer a clear opt-out option for consumers who do not agree with the stated terms.
Audience-appropriate – Communications about personal data usage should also be clear, digestible, and free of technical details. Your customers, largely, are not data scientists, and they shouldn’t have to be in order to understand and approve of how their identity data is used.
Accessible – It should not be difficult for customers to track down data usage and privacy policies. This information should be readily available and easily accessible on company websites or direct consumer communications.

Legitimate Interest

Active consent isn’t the only standard for personal data processing, however. GDPR also leaves some room for legal information use based on a service provider’s “legitimate interest” — that is, when processing data is required to complete necessary business functions or carry out an agreement between a customer and a company.

Because there are so many routine business uses for personal data, the legitimate interest standard is meant to minimize friction in user experience when there is little risk that information usage will pose a risk to consumer privacy. When a ride sharing app customer enters her payment information to be billed for her trip, for example, she can reasonably expect that the company will use that information and share it with a payment processor. Completing that transaction is in the app’s legitimate interest, therefore asking for additional consent may not be necessary.

A few important points about legitimate interest and privacy:

Consumer interest wins – Determining the legitimate interest for processing personal data might involve weighing the goals of a company against the potential risks for customers. In GDPR, though, a company’s legitimate interest is always trumped by the interests or fundamental rights and freedoms of the data subject. Legitimate interest isn’t a corporate get-out-of-jail-free card.
The standard is meant to evolve – Legitimate interest is by design a flexible standard, meant to facilitate continuous assessment of personal data processing, even as technologies and services develop.
Transparency still applies – Even in cases where personal data is being processed based on legitimate interest, companies should still prioritize transparency and the principles outlined above in communicating their data processing practices.
Some data always requires consent– The flexibility of this standard also makes it tricky to apply. This is especially true where particularly sensitive data like biometrics or national identifier information is involved, or where a company collects information on individuals with whom it doesn’t have a pre-existing relationship. It’s best to err on the side of consent in order to foster Trust and Safety with customers.

With these principles of digital privacy intact, your company can begin to prioritize user-centric privacy standards without sacrificing customer experience.

Privacy Meets Security

Even if your company succeeds in developing an industry-leading privacy framework, the data you collect and process must be protected. A robust information security strategy is critical, particularly as personal information has been the target of increasingly frequent and damaging cyber attacks.

Conceptually, privacy and security are interrelated. They share underlying goals and tools: Both are aimed at protecting against unauthorized or unwanted disclosure of data, and similar cyber hygiene basics can help a company bolster both its privacy and security culture.

But the two ideas are not identical. The ultimate gauge of privacy is the customer ensuring that her data is not shared where she doesn’t want it to be. Security, though, is fundamentally an interest of the company — ensuring that all its digital assets, not just personal information, are safe from misuse. Security is not only necessary to safeguard digital privacy and the principles above, it also is one of the key pillars of Trust and Safety. Privacy requires security, and security regimes should be constructed with customer privacy in mind.

Building A Framework For Information Security

As with digital privacy, companies should approach information security with a few basic principles in mind. Confidentiality, integrity, and availability — often referred to as the CIA Triad — are the core elements of information security in practice. Here we’ll break down each concept with an eye to how they relate to identity data and the idea of consumer privacy.

Confidentiality

At its simplest level, security means limiting access to information. Only those who absolutely need to collect, view, or process a certain set of data should be able to do so. That includes two related but distinct types of confidentiality:

External – shielding data from unauthorized intrusion by people or processes outside of a company or its customers. This is often associated with perimeter cybersecurity.
Internal – shielding data from access by non-critical personnel or processing within a company or organization. This is usually a function of various Identity and Access Management (IAM) processes.

Both types of confidentiality are essentially identity problems: effective verification, authentication, and authorization processes are critical to ensuring that the right people, and only the right people, can handle sensitive information. This also requires accurately demarcating the appropriate classification of various data sets. Future OWI courses will examine IAM in more detail.

The principle of confidentiality also supports the privacy components of transparency and legitimate interest, so that customers know who is accessing their data and why, and can be confident that a service provider will prevent additional disclosures.

Integrity

In order for data to be secure, it must not only be kept safe from unauthorized access, but also from unauthorized modification. Maintaining information integrity means ensuring that data is dynamically correct over time, and that no one is able to make inappropriate or undetected changes or deletions. Simply, data integrity is how both customers and companies know that data can be trusted.

If unauthorized changes are made, robust information integrity processes also involve the ability to restore information to its correct, pre-altered state. Various technological tools, such as encryption or hashing algorithms, can help companies maintain integrity, especially when it is in transit.

The principle of integrity supports the privacy components of consent and legitimate interest, so that a user knows that accurate information about them is being used for authorized purposes. When users consent to the use of their personal data, they’re consenting with the assumption that the data will be accurate.

Availability

While security often focuses on preventing illegitimate data use, it is equally important that effective strategies enable legitimate use. Information availability means ensuring that data, systems, and critical functions are consistently available for authorized use when needed.

Restricting access to data and services can be as damaging as unauthorized access, and businesses learned a particularly painful lesson about the importance of data availability throughout 2017. Ransomware attacks, in which adversaries restrict access to an organization’s files until a ransom is paid, are estimated to have cost $5 billion of damage 2017, with an expected jump to $11.5 billion by 2019. Distributed denial of service (DDOS) attacks nearly doubled over 2016 levels. Regular hardware maintenance, sound backup and redundancy protocols, and regular software updates are important tools for ensuring data availability.

The principle of availability supports the privacy components of consent and legitimate interest, so that companies can reliably process data when required. This balances security and user experience in order to execute desired services.

The Identity Connection

Even as the volume and velocity of personal data collection continues to increase, the interrelated concepts of privacy and security are still fundamental to successful businesses. Privacy isn’t dead, and security is more important now than ever before — customers still have both legal rights and high expectations when it comes to the protection of their data, and the vast majority are not afraid to take action against a company they don’t trust with their personal information.

Identity, and the broad set of data we use to prove who we are, is inextricably linked with both privacy and security. Both are oriented toward making sure personal data is protected from unauthorized use, but both require companies to responsibly collect and manage personal data for legitimate uses. Constructing your company’s approach to each of the Identity Building Blocks with an eye to the privacy and security principles outlined here is necessary to cultivate Trust and Safety. In an economy that runs on data, you can’t survive if customers don’t trust you with theirs.

/.post
./block
/.content

Source: Identity, Privacy, and Security

SaveSave

DOD Wants to Transform Its Authentication Technology

by Phil Goldstein | Jan 22, 2018 | Cybersecurity, Identity Management

This article is very interesting, Nimbus-Key system could be the solution for their problem (Jose Bolanos MD).

The Defense Department has been trying to kill the Common Access Card for a long time. Before it does so, it wants to make it more like a commonly used authentication measure: the Personal Identity Verification (PIV) card.

Former DOD CIO Terry Halvorsen announced a two-year plan in June 2016 to move away from the CAC.

The CAC is a “smart” card about the size of a credit card, and is the standard identification issued to active duty uniformed service personnel, selected reserve, DOD civilian employees and eligible contractors, the DOD notes. It is also the principal card used to grant physical access to buildings and controlled spaces, and it gives users access to DOD computer networks and systems. Last year, the DOD tested alternatives to the CAC.

Before that replacement process is complete, the Pentagon wants to evolve the CAC to make it more like the PIV card, Andy Seymour, the DOD’s public key infrastructure manager, tells Federal News Radio. The goal is to bring more security and interoperability to the DOD’s authentication technology.

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

Directives Forthcoming for PIV Authentication

The PIV card was established during the George W. Bush administration under Homeland Security Presidential Directive-12. The PIV authentication certificate helps a federal user prove their identity to get access to secure systems and data. PIV cards allow users to receive, store, recall and send information in a secure manner by encrypting the data, the Veterans Affairs Department notes.

According to the National Institute of Standards and Technology (NIST), PIV authentication certificates on PIV cards (called “certs” for short in the IT security community) are “issued in a manner that satisfies the requirements for level of assurance 4 (LOA-4) for identity proofing, tokens, and token and credential management.”

“We are on the verge of releasing directives to the services that says you have 18 months to unlock the PIV certificate authentication that is currently on the card and start utilizing that for logical access,” Seymour tells Federal News Radio. “We are seeing the requirements that support PIV identity cert are more than what the CAC cert has.”

What’s behind the move? Seymour says “one of the big drivers” is to achieve “interoperability across the entire government space,” and not just DOD. The changes have been circulating in the military service branches for months and should not come as a surprise, according to Seymour.

“The identity management experts that I work with across the services all understand it. They all get it and know what it takes,” he tells Federal News Radio. “The Air Force folks already utilize this for other capabilities. They understand the PIV [authentication] and the certificate is on the CAC as we speak right now.”

In some of the military services, these authentications and certificates are locked and not viewable. For others, they can be unlocked.

There will likely be some hurdles ahead for DOD components, Seymour acknowledged. “They know it’s coming and they know it will be a challenge to reconfigure because you now have to look at the PIV [authentication] certificate instead of the CAC ID,” he says. “Some applications may have been using the email cert as identification and we will ask them to use the PIV [authentication] at the application level as well.”

The Benefits of a New Approach to Authentication

DOD likely wants to embrace the authentication approach taken by PIV because of how its authentication works. Federal News Radio reports:

NIST says the benefits of using the PIV authentication is systems and applications are using one certificate to perform a digital signature operation through the private key associated with the certificate, and that the system performing the authentication can verify the signature while also validating the certificate itself.

PIV cards can be used to access high-value systems and systems that require fewer security protections.

DOD is exploring other ways to improve the CAC, including something known as the opacity, which, Federal News Radio reports, “is protocol to protect contactless communication between the card and the system, and adding encrypted certificates that will let users do tap-and-go authentication.” This is crucial for first responders and others who need quick access to systems or facilities, the publication notes.

The effort to evolve beyond the CAC is an ongoing process, Seymour says. “The CAC is the anchor for everything for the DOD — physical access, logical access. It’s so difficult to try to do away with that and replace it with something else,” he says. “We are looking at a lot of multifactor authentication capabilities. We are looking at identity federation services. We are looking at federation with our mission partners. We’ve also got a big mobility program coming out of the Defense Information Systems Agency called Purebred that is going to help us with derived credentials on things like cell phones and make that user experience more frictionless and seamless.”

Source: DOD Wants to Transform Its Authentication Technology

Nucleus Vision Adds Blockchain and Technology Experts

by Value Walk Staff | Jan 22, 2018 | Cybersecurity, Identity Management

Nucleus Vision, the blockchain-based contactless identity management system and retail loyalty program powered by cryptocurrency, has today announced that Microsoft executive Ausaf Ahmad and digital currency experts Jaron Lukasiewicz and David Wachsman have joined as advisors to the company. Ahmad will serve as a blockchain technology advisor to Nucleus Vision. Lukasiewicz will advise the team on its business development and technical roadmaps, while Wachsman will guide the company’s long-term communications strategy.

See the press release below

Featured image: geralt / Pixabay

Nucleus Vision Adds Blockchain and Technology Experts as Advisors

Microsoft executive Ausaf Ahmad, blockchain veterans Jaron Lukasiewicz and David Wachsman join as advisors

New York, New York — January 18, 2018 — Nucleus Vision, the blockchain-based contactless identity management system and retail loyalty program powered by cryptocurrency, has today announced that Microsoft executive Ausaf Ahmad and digital currency experts Jaron Lukasiewicz and David Wachsman have joined as advisors to the company. Ahmad will serve as a blockchain technology advisor to Nucleus Vision. Lukasiewicz will advise the team on its business development and technical roadmaps, while Wachsman will guide the company’s long-term communications strategy.

Nucleus Vision CEO Abhishek Pitti said: “We are thrilled to have the support and guidance of Ausaf, Jaron, and David as advisors. Ausaf’s work managing Microsoft’s largest partners to drive blockchain and IoT innovation will be particularly helpful as we apply both technologies to the retail space, and Jaron’s vast experience as a blockchain entrepreneur and advisor to companies in the space will help us deploy and scale our platform for retailers. Furthermore, David’s experience developing media relations and communications strategies for the top companies in the blockchain space will prove indispensable as Nucleus Vision grows and scales.”

Ausaf Ahmad, the Internet of Things (IoT) and Blockchain Lead at Microsoft, has years of experience as a technologist. For the past two years, he has managed Microsoft’s largest and most influential partner ecosystem to drive key IoT and blockchain initiatives, along with overseeing key accounts for its Azure platform. Ahmad is also a veteran of Boeing, where he led analysis and design of commercial airplanes, and had a stint at Wall Street where he worked as an investment banking associate. Ahmad received his MBA from the Massachusetts Institute of Technology and his Master of Science degree in aeronautical engineering from Embry-Riddle Aeronautical University.

Ausaf Ahmad said: “I am very excited by the impact that Nucleus Vision will have on millions of customers and retailers around the world. Using its proprietary IoT sensor, Nucleus Vision is empowering brick-and-mortar stores to gain insights into previously inaccessible data about their customers. Add a blockchain-based loyalty program to the product offering, and you can see that Nucleus Vision is going to improve shoppers’ in-store experiences in clever and unprecedented ways.”

Jaron Lukasiewicz has been a notable figure in the cryptocurrency and blockchain industries since 2012. Lukasiewicz founded and served as CEO of Coinsetter, a New York City-based bitcoin exchange, which was acquired by Kraken, the world’s largest digital asset exchange in Euro volume, in January 2016. The sale was, at the time, the largest merger-and-acquisition deal in Bitcoin history. Lukasiewicz also served as CEO of Cavirtex (Canadian Virtual Exchange), the oldest and largest Canadian bitcoin exchange, which was also acquired by Kraken in 2016. Lukasiewicz graduated from Rice University on the President’s Honor Roll with a Bachelor of Arts in Economics.

Jaron Lukasiewicz said: “Nucleus Vision’s top-notch team and partnerships with a variety of industry leaders have primed the company for success. Its impressive application of blockchain technology to a real-world problem provides an innovative solution that will improve the state of the retail industry.”

David Wachsman is the Founder and CEO of Wachsman, the largest public relations firm specializing in digital currency and blockchain-based companies. Wachsman provides media relations, strategic communications, brand development, and corporate advisory services to many of the most indispensable companies in the financial technology, digital currency, and crypto-asset sectors. Wachsman represents prominent clients in the blockchain space, such as the Crypto Valley Association; Dash; Lisk; IOHK, the developers of Cardano; and Steemit. Previously, Wachsman led day-to-day operations for a boutique public relations agency in Manhattan and previously held roles in advertising, political affairs, and biotechnology.

David Wachsman said: “I am proud to join a project of the monumental vision and scope of Nucleus Vision. The company will radically transform the retail experience for millions of customers, and I am incredibly excited by this opportunity to develop a strategic plan for sharing Nucleus Vision’s milestones and achievements with the world.”

Due to high demand, Nucleus Vision closed its whitelist registration ahead of schedule on December 26, 2017, concluding with 47,146 registrants. Nucleus Vision plans to build the world’s first contactless identity management system and retail loyalty program powered by cryptocurrency.

For more information, please see the Nucleus Vision website at https://nucleus.vision/

Source: Nucleus Vision Adds Blockchain and Technology Experts

SaveSave

Network Defense That Moves the Attacker’s Target.

by Stephanie Kanowitz | Nov 1, 2017 | Cybersecurity

By Stephanie Kanowitz
Oct 30, 2017

A new cybersecurity appliance prevents hackers from being able to conduct reconnaissance and move laterally within a network.

Cryptonite’s CryptoniteNXT, which launched Oct. 26, is based on research funded by the Defense and Homeland Security departments into Moving Target Defense, which DHS defines as a way to increase complexity and uncertainty for attackers by “controlling change across multiple system dimensions.”

Delivered as a hardware appliance, CryptoniteNXT takes away hackers’ visibility into a network, making attacks more difficult and expensive.

It changes an endpoint’s view of the network into a dynamic, abstract structure, by “taking over how IP addresses are issued to the endpoints,” Cryptonite CEO Mike Simon said. That turns a once-static network into a moving target. It then maps the “obfuscated” network to the real one so legitimate traffic can flow normally across the network, but hackers’ east-west, or lateral, movement between endpoints is cut off.

“We enable any network to actively shield itself from cyberattacks by preventing reconnaissance,” an initial source of cyberattacks, Simon said.

CryptoniteNXT issues IP addresses on a temporary basis. As long as a session is active, a legitimate user has a Cryptonite token. But “as a hacker, if I come back later and try to use that temporary address as part of the planning and executing an attack, that will not work,” Simon said. In fact, if someone tries post-session to access those temporary addresses or the IP address that was in place before CryptoniteNXT was installed, the tool will trigger an alert.

“It will be an extremely high-value alert because we’ll know that someone was trying to [access] IP addresses they should not be,” Simon said. That alert goes to an organization’s security information management program within 30 seconds of the event occurring. It shows which user and IP source the address request came from, eliminating the need for the IT team to sift through network flow data or end-point analysis to determine the source of the problem, he added.

The appliance address three gaps identified by the National Institute of Standards and Technology’s Cybersecurity Framework, according to Simon. The first is protection. The guidelines ask agencies to install tools that would enable them to investigate and follow attack paths to track down the source. Using Moving Target Defense, CryptoniteNXT Net Guard stops attacks at the endpoint by mapping from the obscured network to the real one, enabling legitimate traffic to flow across the traditional network infrastructure.

The other two gaps are in detection and response. CryptoniteNXT detects blocked attempts by a compromised endpoint to access other applications and resources and issues alerts. “We’re telling you whether someone attempted to access something outside of segmentation policy and/or someone tried to access or address IP locations outside of what they’re able to do,” he said. “As soon as that comes into the SIM, you realize … they’ve already been blocked. You don’t have to worry about immediately investigating, but you know it was likely one of two things: a malicious attacker or a misconfiguration.”

Agencies don’t need to change anything about their existing infrastructure to make CryptoniteNXT work, Simon added. “Our approach was no software runs on endpoints, no software runs on servers,” he said. “We can use your existing switching equipment. We’re not going to make you change out anything.” Once the product is installed, he said, “immediately, without any configuration, the protection of reconnaissance data starts.”

There’s also no effect on end users because everything happens in the background. For instance, CryptoniteNXT uses FreeRADIUS, which will interact with RSA tokens or another two-factor authentication mechanism, and users will never know Cryptonite is there.

Network performance is a big concern for agencies when they add monitoring tools, but “we operate in some cases faster than the existing network,” Simon said. “That doesn’t mean there isn’t any latency. It means the latency in our device is very similar to another switch … in the network. Users don’t see any latency other than a normal device added to the network.”

Right now, Jason Li, vice president of network and security at Intelligent Automation, which spun off Cryptonite, is working with the Defense Information Systems Agency and DHS on a pilot deployment of CryptoniteNXT. He and a colleague were part of the original research into Moving Target Defense and identified the fundamental problems with existing cybersecurity, namely the ease of reconnaissance and lateral movement by hackers.

It has applications beyond DHS and DOD, he added. “This technology is universally applicable to all enterprise networks,” Li said. “We have totally changed the asymmetric nature of cybersecurity from the attackers have the upper hand to now the defenders have all the upper hand. That’s huge.”

Out of the gate, the company has several customers in the government, manufacturing, energy, and internet of things markets, and Simon said he’s working on building more business.

“This has been much needed. We’re approaching cybersecurity from a perspective that is in the hackers’ court. We’re giving them the advantage, and a lot of what we create is simply to track them down,” he said. “We need to be focused more on a defensive platform posture, and stop hackers vs. letting them into our networks.”

pager start pager end

About the Author

Stephanie Kanowitz is a freelance writer based in northern Virginia.

Source: Network defense that moves the attacker’s target

SaveSave

Cyber Threat Analytics: Putting the Human Back in the Loop.

by (ISC)2 Government Advisory Council Executive Writers Bureau | Nov 1, 2017 | Cybersecurity

By (ISC)2 Government Advisory Council Executive Writers Bureau
Oct 30, 2017

Source: Cyber threat analytics: Putting the human back in the loop

Cyber attacks have been increasing in speed and scope, demonstrating capabilities that are challenging the ability of even the fastest machines to respond. Security organizations in the government and the private sector alike have begun to realize that machine analytics alone cannot substitute for real-time communication between human analysts when confronting the current threat environment.

By any estimate, the WannaCry attack in May was the fastest-spreading self-propagating worm ever detected. It spread through unpatched Windows machines around the world in a matter of hours, with the Financial Times reporting that it affected more than 200,000 machines in the first round of attacks. The discovery of a “kill switch” prevented the payload from executing in most situations, but the worm caused significant damage as it propagated through unpatched networks. Security researchers continued to report “rebound” infections inside vulnerable Windows networks for several weeks. The attack exploited a vulnerability for which a patch existed, and defense consisted of a “fire drill” to deploy the patch in any vulnerable network.

A far more serious threat (and the first view into what type of damage can occur from a true zero-day attack) occurred with the Petya or NotPetya virus that took down the Ukrainian economy and several major international corporations in June. Petya exploited a vulnerability in software used by the Ukrainian government to handle tax and other financial transactions with individuals and businesses. Pharmaceutical giant Merck and Danish shipping company Maersk were both incapacitated by the virus within hours. Although the initial infection exploited a vector in the Ukrainian software, it spread throughout Windows networks in a manner that Microsoft has yet to explain.

Different from WannaCry, Petya’s purpose was destruction, not ransom. Affected machines in the management systems of Merck and Maersk were bricked, unrecoverable, and front-office functions were shut down within hours, according to Forbes. Maersk lost the ability to move its ships in or out of international ports for several days, effectively crippling a major part of the transportation network. Merck is still trying to recover production and packaging capabilities. According to sources familiar with the attack, the virus spread at machine speed, hitting tens of thousands of Windows systems within minutes of gaining access to a network, successfully defeating end-point sandboxing technologies by crashing the boxes before analytics could be completed.

The total impact was so shocking that on Sept. 20, the House Energy and Commerce Committee issued letters to Merck requesting testimony on the scope of the damage. The committee also has asked the Department of Health and Human Services to explain what the government intends to do about the situation.

A small hint of one solution was shown by the role played by the Healthcare Cybersecurity Communications and Intelligence Center (HCCIC), a fledgling threat analytics center that played a central role for HHS during the WannaCry incident.

HHS Senior Advisor for Healthcare Public Health Sector Cybersecurity Leo Scanlon, testifying at a June 8 hearing of the Oversight and Investigations Subcommittee of the Energy and Commerce Committee, described the role that a small threat-sharing watch floor played in supporting emergency response capabilities that the agency typically brings to natural disasters.

The watch floor supported a group of analysts who were tracking events in real time and communicating with private-sector partners through the National Healthcare Information Sharing and Analysis Center. This network provided real-time updates on current intelligence and was able to dispel rumors and bad guidance that proliferated on the internet. Organizations with capabilities to reverse engineer malware samples made their findings known hours and days ahead of official information from other government sources, putting HHS out in front of other government agencies in responding to the crisis.

The secret to the watch floor idea is that it puts the human back in the analysis loop. Automated sharing of threat indicators has been widely heralded as the “silver bullet” to defend against automated attacks. The Department of Homeland Security, for example, has a much-publicized program called Automated Indicator Sharing, which provides threat indicator reports to its subscribers. The reports are formatted and transmitted using protocols that can be consumed by network defenses and deployed at machine speed. The problem with this effort, and the many commercial variants that provide enormous amounts of similar threat data, is that there is no way to ingest and consume the information without analyzing it to determine if it is valid, or relevant to a particular environment.

That type of analytical work can only be done by highly trained specialists who know their networks and who can compare notes with colleagues in real time. Linking those groups of analysts to each other is a primary goal of the HCCIC, according to its director, Maggie Amato. Speaking at the (ISC)2 CyberSecureGov conference in June, Amato said the agency was building links with DHS, the Defense Department and private sector partners that would strengthen resilience for the entire sector. “We really do want to get to a place where we are collaborating with each other and cooperating across the board, having dynamic threat sharing and not just automated indicators,” he said.

Cybersecurity watch floors are being integrated with state and local level emergency response fusion centers. New Jersey has established the NJCCIC, California has numerous centers that serve as hubs for universities and localities and the Los Angeles Integrated Security Operations Center is recognized globally as a leader in municipal cybersecurity.

The trend is clear with these developments — defenders must share and crowdsource the same way the attackers do — the machines can’t do that on their own. The most important outcome of this human analytical activity will be much-needed context about new attack mechanisms and how they are used to exploit vulnerabilities in ways specific to different sectors. This understanding of tactics and techniques, in context, will add a critical degree of resiliency that is now lacking.

Source: Cyber threat analytics: Putting the human back in the loop

SaveSave

« Older Entries

Next Entries »

Japan a global leader in cryptocurrency investment | The Japan Times

Biotech M&A takes off as Sanofi and Celgene spend $20 billion

BUSY START

Nations Seek the Elusive Cure for Cyberattacks

Behavioral biometrics missing from cybersecurity

Why Blockchains and Identity Go Together

Identity, Privacy, and Security

The New Frontier Of Digital Privacy And Security

Privacy’s Not Dead — It’s Just Digital

Building A Framework For Digital Privacy

Privacy Meets Security

Building A Framework For Information Security

The Identity Connection

DOD Wants to Transform Its Authentication Technology

Directives Forthcoming for PIV Authentication

The Benefits of a New Approach to Authentication

Nucleus Vision Adds Blockchain and Technology Experts

Nucleus Vision Adds Blockchain and Technology Experts as Advisors

Microsoft executive Ausaf Ahmad, blockchain veterans Jaron Lukasiewicz and David Wachsman join as advisors

Network Defense That Moves the Attacker’s Target.

Cyber Threat Analytics: Putting the Human Back in the Loop.

Recent Posts

Archives

Categories